[Snort-sigs] snort-sigs

Bill McCarty bmccarty at ...483...
Tue Apr 2 04:07:38 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  DOS MSDTC attempt

Sid: 1408

A TCP packet having a large payload was detected. This is a possible 
indication of an actual or impending denial of service attack against a 
host running the Microsoft Distributed Transaction Service Coordinator 


According to Bugtraq, sending such packets to MSDTC can cause the server to 
crash, resulting in a host denial of service. Restarting the service will 
enable it to resume normal operation.

Detailed Information:

According to Bugtraq, MSDTC is installed by default on Windows 2000. It is 
also installed by default with Microsoft SQL Server, versions 6.5 and 
later. According to Microsoft TechNet, the service is required by Internet 
Information server. The service listens by default on port 3372.

According to the original reporter, Windows 2000 SP2 is vulnerable to this 
attack, which does not invariably succeed. The original report was dated 
January 31, 2002. As of March 30, 2002, no patch to fix the vulnerability 
was known to exist. Moreover, Microsoft was not known to have confirmed the 
existence of the problem.

Attack Scenarios:
Under Unix, use /dev/random to generate 1024 bytes of random data and pipe 
the data to the target host and port via netcat (Source: SecurityTracker). 
The attack does not depend on two-way communication with the victim, so the 
source IP address can be spoofed by using a packet crafter.

Ease of Attack:
The attack can be easily mounted, using any tool that can send crafted 
packets or Unix commands.

False Positives:
Linux FTP servers and clients frequently transfer TCP packets having a 
payload size larger than 1023 bytes. To distinguish a false positive, 
determine whether MSDTC is running on the indicated destination source and 

False Negatives:
The Snort rule examines only the payload size. Therefore, false negatives 
are unlikely unless MSDTC is vulnerable to smaller packets than currently 

Corrective Action:
To manage the vulnerability, configure the system not to autmatically start 
the MSDTC (Source: Security Operations Guide for Windows 2000 Server). 
Alternatively, configure firewall rules to limit access to the service. To 
eliminate false positives, revise the Snort rule to specify IP addresses of 
only those hosts actually running the service.

Originally reported by palante at ...484...
Snort signature description by bmccarty at ...483...

Additional References:
bugtraq <a 
Microsft TechNet <a 
curity/tools/iis4cl.asp">Security Operations Guide for Windows 2000 
Server</a> <a 
hive/transsrv/mtxpg03.asp">How Does MTS Work?</a>
odtechnol/sql/maintain/featusability/c08ppcsq.asp">Linked Servers and 
Distributed Transactions</a> <a 
curity/prodtech/windows/windows2000/staysecure/secopsb.asp">Default Windows 
2000 Services</a>
SecurityTracker <a 

Bill McCarty

More information about the Snort-sigs mailing list